Harvard bomb hoaxer used Tor, got caught anyway

Summary: Eldo Kim, Harvard student, wanted to get out of a final exam so he sent in a bomb threat using Tor to disguise his location and identity. Tor’s not magic and the FBI caught him anyway.

Monday’s bomb scare at Harvard was perpetrated by a sophomore “motivated by a desire to avoid a final exam…”

Even though Eldo Kim, 20, used the Tor network, in conjunction with the anonymous email service Guerrilla Mail, to hide his location and identity, the FBI didn’t have a lot of trouble locating him because he used the Harvard wireless network to send the threat. Some of the details of his critical error are spelled out in an affidavit filed by FBI Special Agent Thomas M Dalton in support of an arrest. The fact that the threats came on the day of finals was a good indicator that a student was responsible.

The affidavit doesn’t give details on how he was traced, and Tor did work, up to a point. But the FBI and school IT were able to determine who was using that software on the campus network at the time the emails were sent, and that pointed to Kim’s login.
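The correlation step the story describes (campus network records matched against connections to Tor relays in the window when the emails were sent), as an added Python example that is not from the article or the affidavit. The lease records, flow records and relay addresses below are constructed placeholders, not real data; in practice the relay list would come from the published Tor consensus.

```python
from datetime import datetime, timedelta

# Constructed sample data. Relay IPs use the TEST-NET-2 documentation range
# and stand in for a real Tor consensus list.
TOR_RELAYS = {"198.51.100.7", "198.51.100.23"}

# Wireless DHCP/auth leases: which authenticated user held which campus IP, and when.
# Note the same IP is reused by two users on the same morning.
LEASES = [
    # (user, ip, lease_start, lease_end)
    ("alice", "10.20.1.5", "2013-12-16 07:30", "2013-12-16 12:00"),
    ("bob",   "10.20.1.9", "2013-12-16 08:10", "2013-12-16 09:15"),
    ("carol", "10.20.1.9", "2013-12-16 09:20", "2013-12-16 11:00"),
]

# Outbound flows seen at the campus border: (src ip, dst ip, dst port, time).
FLOWS = [
    ("10.20.1.5", "203.0.113.10",  443,  "2013-12-16 08:00"),
    ("10.20.1.9", "198.51.100.7",  9001, "2013-12-16 08:31"),
    ("10.20.1.9", "198.51.100.23", 443,  "2013-12-16 09:40"),
]

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def user_for(ip, when, leases=LEASES):
    """Map an internal IP at a given instant back to the user who held the lease then."""
    for user, lease_ip, start, end in leases:
        if lease_ip == ip and _t(start) <= when <= _t(end):
            return user
    return None

def tor_users_in_window(sent_at, slack_minutes=30, flows=FLOWS,
                        leases=LEASES, relays=TOR_RELAYS):
    """Return the users whose IP contacted a known Tor relay within
    +/- slack_minutes of the time the message was sent."""
    sent = _t(sent_at)
    lo, hi = sent - timedelta(minutes=slack_minutes), sent + timedelta(minutes=slack_minutes)
    hits = set()
    for src, dst, _port, when in flows:
        t = _t(when)
        if dst in relays and lo <= t <= hi:
            user = user_for(src, t, leases)   # resolve against the lease active at that moment
            if user:
                hits.add(user)
    return hits

if __name__ == "__main__":
    print(tor_users_in_window("2013-12-16 08:45"))  # {'bob'}
```

The lease lookup is time-bounded on purpose: a bare IP-to-user table would attribute carol’s later connection to bob, which is exactly the kind of mistake that sends an investigation after the wrong person.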

Hat tip to On The Media.

[Source: ZDNet]

No surprise: The NSA can hack iPhones

Summary: Nobody should find it surprising that the NSA can hack into iPhones and there’s no reason to assume Apple is helping them.

As we and everyone else are reporting, the latest poop on the NSA is that they claim to be able to hack into iPhones.

Go back through Apple’s log of security updates to their products, including iOS: there have always been many severe vulnerabilities. The general assumption out there is that nobody’s exploiting them, but the other possibility is that they are being exploited, but only very rarely in targeted attacks. The NSA would be exactly the sort of agency to do that.

Even since iOS 7 was released, vulnerabilities have been patched which could allow full compromise without the knowledge of the user. Usually you need two vulnerabilities to accomplish this: an arbitrary code execution vulnerability to gain control, and a privilege escalation vulnerability to gain admin or root privileges. Once you have this, you can install what software you want.

This, incidentally, is how jailbreaking works. Every jailbreak is based on at least one security flaw in iOS. We know these work, so we know that what the NSA claims is perfectly possible.

iOS 7.0.1 fixed many security vulnerabilities, including both code execution and privilege escalation, and there have been many others in the past. It only stands to reason that researchers (and their customers, including the NSA) have access to vulnerabilities which have not yet been disclosed to Apple or patched.

Of course none of this is verifiable by us ordinary civilians, but for me the NSA’s apparent claim of a 100% success rate in installing malware is a bit fishy. Unless they have an over-the-air, network-based exploit, something which executes automatically, then they still have to socially engineer the user to some degree. Good, targeted social engineering (sometimes a.k.a. “spear phishing”) can get very good results, but 100%? I don’t think so. And I very much doubt that they have an auto-executing, over-the-air compromise of iOS; someone else would have found it by now.

So don’t assume that Apple must be cooperating. I would assume the contrary. It would be very much against their interests to cooperate. Remember that any super-backdoor built into the OS could be used by anyone who finds it. Not all of them are the good guys, like the NSA 😉

[Source: ZDNet]

Robbers cut into ATMs to plug in USB drives

Summary: A BBC report says thieves in Europe cut holes in ATMs in order to plug in USB drives with malware on them.

Citing a presentation at the Chaos Computing Congress in Hamburg, Germany, the BBC is reporting that thieves at European ATMs cut holes in the machines in order to access USB ports.

The thieves then inserted USB drives into the ports which then installed malware. This allowed the thieves to take control of the ATMs.

The two researchers who detailed the attacks have asked for their names not to be published.

After noticing that some ATMs were being emptied, the bank increased surveillance and noticed that attackers were physically cutting holes in the machines, inserting the drives and then patching up the holes. With the malware running, the attackers needed to enter a special 12-digit code in order to bring up a user interface which displayed how many bills of each denomination were in the machine. They could then specify how many of each to dispense. The attackers would then dispense the highest-denomination bills in order to minimize the time they were at the machine.

Distrustful of the people who actually inserted the drives, the malware authors put a second one-time code process into the activation of the software which required the attacker to read a code off the screen and tell it to another gang member.

There is much information missing from this description: if the attackers were able to install malware simply by inserting a USB thumb drive, then Autorun or some such feature may have been turned on. These have been turned off in Windows by default for many years. What operating system and version were the ATMs running? Or perhaps there is some other interface device, like a keyboard, inside the ATMs, accessible through the hole. It may also be that USB drives are used by ATM technicians for legitimate purposes.

In any case, it would appear that the attackers are highly sophisticated with inside knowledge of the ATM hardware and software. The BBC story also says that the malware itself was hardened against analysis.

ATM hacking is a fairly widespread problem all over the world. If you want more information, security researcher/reporter Brian Krebs has extensive reports of attacks on ATMs and other bank-related technology on his blog.

[Source: ZDNet]

Slurp away, NSA: Mass phone data collection IS legal, rules federal judge

A US federal judge has ruled that the NSA is within its rights to harvest millions of innocent Americans’ telephone call records under Section 215 of the Patriot Act – and that the dragnet is fine under the Fourth Amendment since the data was collected by a third-party telco, not the government.

The decision kicks the debate over the legality of the intelligence agency’s controversial mass-surveillance operations closer to the Supreme Court.

“Robust discussions are underway across the nation, in Congress, and at the White House, the question for this court is whether the government’s bulk telephony metadata program is lawful. This court finds it is,” said US District Judge William Pauley in his ruling today.

The court case was filed by civil-rights campaigners the ACLU in June, less than a week after the first document released by NSA whistleblower Edward Snowden showed that Verizon was supplying metadata on US mobile phone calls. As Verizon subscribers, the ACLU sued to get the snooping stopped with an injunction.

“We are extremely disappointed with this decision, which misinterprets the relevant statutes, understates the privacy implications of the government’s surveillance and misapplies a narrow and outdated precedent to read away core constitutional protections,” said ACLU deputy legal director Jameel Jaffer.

“As another federal judge and the president’s own review group concluded last week, the National Security Agency’s bulk collection of telephony data constitutes a serious invasion of Americans’ privacy. We intend to appeal and look forward to making our case in the Second Circuit.”

In his ruling Judge Pauley said that surveillance techniques such as those deployed by the NSA were necessary to stop terrorism, citing three cases where such data had been used to stop bomb attacks on the New York subway system, stock exchange, and other targets.

“Like the 9/11 Commission observed: the choice between liberty and security is a false one, as nothing is more apt to imperil civil liberties than the success of a terrorist attack on American soil,” he wrote.

“A court’s solemn duty is ‘to reject as false, claims in the name of civil liberty which, if granted, would paralyze or impair authority to defend [the] existence of our society, and to reject as false, claims in the name of security which would undermine our freedoms and open the way to oppression.’”

Judge Pauley’s reasoning contrasts sharply with the December 16 ruling from District of Columbia Judge Richard J Leon, also on the legality of the Verizon data slurp. The judge described the NSA’s systems as “almost Orwellian,” and said he wasn’t convinced about the government’s claims that such data was needed for rapid-response anti-terrorism. Judge Leon was ruling in a lawsuit brought against the Obama administration by lawyer Larry Klayman and other privacy campaigners.

In both cases the judges gave leave to appeal, and it now looks certain that the Supreme Court will have to rule on the matter. How quickly it does so is largely up to the nine-person panel itself, but it seems likely that the court will rule sooner rather than later.

[Source: The Register]

Skype’s Twitter account, blog hacked to spread anti-Microsoft messages

Entities claiming to represent the Syrian Electronic Army (SEA) have hacked Skype’s social media presences and used them to post anti-Microsoft messages.

Here’s one of the defacements, from Skype’s Twitter account.

Hi! Microsoft here. Don’t use our stuff. Really. Take our word for it.

Skype’s blog was also accessed and quickly became host to posts calling for Skype to stop allowing the NSA to access its back end, as has recently been alleged by Edward Snowden.

The fun lasted a few hours before Skype wrestled control of its social media properties back from the alleged SEA members. The VoIP service has since posted the following all-clear to Twitter.

That the Skype blog was accessed makes the incident considerably embarrassing to Skype and therefore to Microsoft, as it shows neither is drinking the strong-password Kool-Aid. With Skype being baked into all manner of Redmondware, questions about just how it was possible for the company blog to be accessed may well be worth asking before adopting the service in-house.

[Source: The Register]
